
Commit 245b301

committed
fix: consolidate installation etc
1 parent bf8fd55 commit 245b301


2 files changed

+8
-15
lines changed

2 files changed

+8
-15
lines changed

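--- a/ansible/files/cis_baseline_check.sh
+++ b/ansible/files/cis_baseline_check.sh
@@ -2,21 +2,19 @@
 # Baseline Validation Check
 #
 # This script validates that the machine matches the committed baseline
-# specifications using the supascan tool from the nix flake.
+# specifications using supascan (pre-installed via nix profile).
 #
-# Usage: cis_baseline_check.sh [baselines-dir] [flake-path]
+# Usage: cis_baseline_check.sh [baselines-dir]
 
 set -euo pipefail
 
 BASELINES_DIR="${1:-/tmp/ansible-playbook/audit-specs/baselines}"
-FLAKE_PATH="${2:-/tmp/ansible-playbook}"
 
 echo "============================================================"
-echo "Baseline Validation Setup"
+echo "Baseline Validation"
 echo "============================================================"
 echo ""
 echo "Baselines directory: $BASELINES_DIR"
-echo "Flake path: $FLAKE_PATH"
 echo ""
 
 # Check baselines directory exists
@@ -27,20 +25,15 @@ fi
 
 # Source nix environment
 if [[ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]]; then
+# shellcheck source=/dev/null
 . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
 fi
 
-# Install supascan from the flake if not already installed
-echo "Installing supascan from flake..."
+# Verify supascan is available
 if ! command -v supascan &>/dev/null; then
-nix profile install "${FLAKE_PATH}#supascan" --accept-flake-config
-echo "✓ supascan installed"
-else
-echo "✓ supascan already available"
+echo "ERROR: supascan not found. It should be pre-installed via nix profile."
+exit 1
 fi
 
-echo ""
-
 # Run supascan validate
-# The tool handles all the logic for running specs and categorizing results
 exec supascan validate --verbose "$BASELINES_DIR"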
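Review bot: The new guard only checks that some `supascan` is first on PATH and then `exec`s it as root (the playbook task runs this script with `become: yes`), so the validation no longer proves that the pinned flake build is what produced the baseline result. Resolve and record the binary explicitly so the audit output shows what ran, e.g. `SUPASCAN="$(command -v supascan)"`, `echo "Using supascan: $SUPASCAN"`, `exec "$SUPASCAN" validate --verbose "$BASELINES_DIR"`, and consider refusing a path that does not resolve under `/nix/store/`. The error message in the `if ! command -v` branch should go to stderr (`echo "ERROR: …" >&2`) so it is not mixed into the validation report. Sourcing `nix-daemon.sh` presumably only exposes the daemon/system profile; if the pre-install the comment refers to happened in a non-root user's profile, root will not see it and this branch will always fail — worth confirming which profile the installing task writes to.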

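--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -223,7 +223,7 @@
 - name: Run CIS baseline validation
 become: yes
 shell: |
-/bin/bash /tmp/ansible-playbook/ansible/files/cis_baseline_check.sh /tmp/ansible-playbook/audit-specs/baselines /tmp/ansible-playbook
+/bin/bash /tmp/ansible-playbook/ansible/files/cis_baseline_check.sh /tmp/ansible-playbook/audit-specs/baselines
 when: stage2_nix
 
 - name: nix collect garbage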
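Review bot: The updated command still runs `cis_baseline_check.sh` from `/tmp/ansible-playbook` under `become: yes`, and `/tmp` is shared and world-writable, so whoever can create that path first on the host controls what executes as root; the commit trims the arguments but leaves this dependency in place. If an earlier task (not visible here) stages the tree, have it land in a root-owned directory with mode 0700, or switch to `ansible.builtin.script:` so the control node's copy of the script is what runs. Since the line is a plain invocation with no shell features, `ansible.builtin.command:` plus `changed_when: false` would also drop the unnecessary shell and stop a read-only validation reporting "changed" on every run.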
